Securing Access to Cloud Computing for Critical Infrastructure

(1)

Securing Access to Cloud Computing for Critical

Infrastructure

Younis A. Younis

A thesis submitted in partial fulfilment of the

requirements of Liverpool John Moores University

for the degree of Doctor of Philosophy

(2)

i

Abstract

Cloud computing offers cost effective services on-demand which encourage critical infrastructure providers to consider migrating to the cloud. Critical infrastructures are considered as a backbone of modern societies such as power plants and water. Information in cloud computing is likely to be shared among different entities, which could have various degrees of sensitivity. This requires robust isolation and access control mechanisms. Although various access control models and policies have been developed, they cannot fulfil requirements for a cloud based access control system. The reason is that cloud computing has a diverse sets of security requirements and unique security challenges such as multi-tenant and heterogeneity of security policies, rules and domains.

This thesis provides a detailed study of cloud computing security challenges and threats, which were used to identify security requirements for various critical infrastructure providers. We found that an access control system is a crucial security requirement for the surveyed critical infrastructure providers. Furthermore, the requirement analysis was used to propose a new criteria to evaluate access control systems for cloud computing. Moreover, this work presents a new cloud based access control model to meet the identified cloud access control requirements. The model does not only ensure the secure sharing of resources among potential untrusted tenants, but also has the capacity to support different access permissions for the same cloud user.

Our focused in the proposed model is the lack of data isolation in lower levels (CPU caches), which could lead to bypass access control models to gain some sensitive information by using cache side-channel attacks. Therefore, the thesis investigates various real attack scenarios and the gaps in existing mitigation approaches. It presents a new Prime and Probe cache side-channel attack, which can give detailed information about addresses accessed by a virtual machine with no need for any information about cache sets accessed by the virtual machine. The design, implementation and evaluation of a proposed solution preventing cache side-channel attacks are also presented in the thesis. It is a new lightweight solution, which introduces very low overhead (less than 15,000 CPU cycles). It can be applied in any operating system and prevents cache side-channel attacks in cloud computing. The thesis also presents a new detecting cache side-channel attacks solution. It focuses on the infrastructure used to host cloud computing tenants by counting cache misses caused by a virtual machine. The detection solutions has 0% false negative and 15% false positive.

(3)

ii

Acknowledgements

It is a pleasure to thank my Mother and Father, who made this thesis possible and gave me everything they have got in order to support me to reach this stage.

I offer my regards and blessings to my wife who supported me in any respect during the completion of the project. She has been always behind me.

I am heartily thankful to my director of study Dr. Kashif Kifayat, whose encouragement, supervision and support from the preliminary to the concluding level enabled me to develop an understanding of the subject. His help and guidance have kept me focused and enabled me to successfully complete this project.

I would like to give sincere thanks to Professor Madjid Merabti, who offered me many words of encouragement, support and advice throughout my project. I would like also to thank Professor Qi Shi and Dr. Bob Askwith for their support and help.

Lastly, I would like to thank all my friends, who supported and advise of me through the project.

(4)

iii

CHAPTER 1

Introduction

This chapter gives a brief introduction to cloud computing in terms of services and security challenges. It also provides basic information about critical infrastructure, its importance to our daily life and its security requirements. In addition, it covers the importance of access control systems to data security and why conventional access control models cannot be deployed in their current state in the cloud. Some information about access control systems’ security attacks in general and cache side-channel attacks in particular are also presented here. This chapter also shows our aims and objectives, the motivation behind this project, the novel contributions and the structure of the thesis.

1.1Cloud Computing

Cloud computing is an open standard model, which is Internet-centric and provides various services either software or hardware. It offers new cost effective services on-demand such as Software as a service (SaaS), Infrastructure as a service (IaaS) and Platform as a service (PaaS). A significant interest in both industry and academia has been generated to explore and enhance cloud computing. It has five essential characteristics: on-demand self-service, measured service, rapid elasticity, broad network access and resource pooling. It is aiming at giving capabilities to use powerful computing systems with reduced cost, increased efficiency and performance [1]. It consolidates the economic utility model with the evolutionary enhancement of many utilised computing approaches and technologies, which include computing infrastructure consisting of networks of computing and storage resources, applications and distributed services. Moreover, there is an ongoing debate in Information Technology (IT) communities about how the cloud computing paradigm differs from existing models and how these differences affect its adoption. One view considers it as a modern or a fashionable way to deliver services over the Internet, while others see it as a novel technical revolution [2]. However, they have agreed that cloud computing gives a new hope for meeting various requirements of service providers and consumers as well. Hence, governments, enterprises and even critical infrastructure providers are considering migrate to cloud computing.

1.2Critical Infrastructure

Critical infrastructures are a crucial assets for the functioning of vital societal services such as power distribution networks and financial systems [3]. The importance of critical

(13)

2

infrastructures is hard to overestimate, and even relatively minor failures can impact on a large number of people e.g. on 31st March 2015 Turkey has suffered a huge power cut affecting almost the whole country [4] due to a cyber-attack. This unexpected power cut caused complete shutdown to public transport and big disruption to air traffic controllers. This incident highlights the importance of keeping such systems running. Failures can result in serious consequences for the functioning of society. It is an alarming situation as an attacker can use a laptop or computer to disrupt the national infrastructures.

Critical Infrastructure Providers (CIP) have started to use the cloud computing due to many benefits. However, there are still many challenges such as multi-tenant billing, virtualization with very strong isolation, Service Level Agreements (SLA), definitions and automatic enforcement mechanisms, end-to-end performance and security mechanisms. One of the objectives of this project is to investigate cloud computing security issues, which hinder migration of CIP to the cloud and also perform requirement analysis for different CIP users to utilise the cloud.

1.3Cloud Computing Security Challenges

With all of these promising facilities and benefits that cloud computing can offer, there are still a number of technical barriers that may prevent cloud computing from becoming a truly ubiquitous service. Security is the main inhibitor to cloud adoption. Cloud computing may inherit some security risks and vulnerabilities from the Internet, such as malicious code (Viruses, Trojan Horses). In addition, cloud computing suffers from data privacy issues and conventional distributed systems attacks i.e. Distributed Denial of Service attacks (DDoS), which could have a huge impact on its services. Moreover, cloud computing has brought new concerns such as moving resources and storing data in the cloud with a probability of residing in another country with different regulations. Computing resources could be inaccessible due to many reasons such as natural disaster or denial of service.

Cloud computing services may be delivered by a large number of service providers. They use various types of technologies, which may cause heterogeneity problems [5]. Extensibility and shared responsibilities is another concern as up to now it is not clear, how security duties should be assigned in cloud computing and who is responsible for what [6]. Furthermore, virtualization is one of many ways used in cloud computing to meet their consumer necessities,

(14)

3

but it brings its own threats such as penetrating the logical isolation between virtual machines and side-channels [7].

Cloud computing provides the perfect platform to lunch cyber-attacks. Many of these attacks are commonly encountered in the wider Internet such as Distributed Denial-Of-Service (DOS) attack [8], insecure application programming interface [9], abuse and nefarious use of cloud computing [9], malicious insiders [9], and access control issues.

1.4Access Control

An access control system is a crucial requirement to secure assets against unauthorised access in a cloud environment. However, there are still many questions which raise issues e.g. service providers in cloud computing are likely to be outside the trusted domain of users and resided in an another country with different law and regulations [10]. Furthermore, access control systems can be more complex and sophisticated due to dynamic resources [11] heterogeneity [12] and diversity of services [13].

There are various traditional access control models and policies for different environment such as Mandatory Access Control (MAC) model, Discretionary Access Control (DAC) model and Role Based Access Control (RBAC). These models cannot fulfil cloud’s access control requirements due to a diverse set of users and platforms with different sets of security requirements. More details can be found in chapter 2 section 2.2.1. Cloud computing also has unique security challenges such as multi-tenant hosting and heterogeneity of security policies, rules and domains. We believe these models may not fully cover access control requirements of cloud computing as each one of them has been proposed for a specific environment to fulfil consumers’ access control requirements.

Deploying a robust access control model would make cloud service providers and their clients confident about confidentiality and integrity of their data, yet there are a number of common techniques and attacks that can be used to gain unauthorized access to data such as session hijacking or TCP hijacking. In addition, password attacks such as dictionary attack are still used to bypass access control systems. All of the mentioned attacks target the application level. However, there are number of attacks at lower levels such as CPU caches which can have severe impacts on data access control. One of these attacks is a channel. Some side-channels can be used without interfering with other cloud tenants’ customers to gain some sensitive information, for instance, cache side-channel attacks [14].

(15)

4

1.5Cache Side-Channel Attacks

Cloud computing supports multi-tenancy to fulfil future increasing demands for accessing and using resources provided over the Internet. Multi-tenancy enables the sharing of computing physical resources among cloud computing tenants and offers cost-effective on-demand scaling. However, multi-tenancy in cloud computing has unique vulnerabilities such as clients’ co-residence and virtual machine physical co-residency. Physical co-residency of virtual machines in cloud computing has been exploited to leak sensitive information and launch sophisticated security attacks. It can facilitate attackers with an ability to interfere with another virtual machine running on the same physical machine due to an insufficient logical isolation. In the worst case scenario, attackers can extract sensitive data using hardware side-channels on the same physical machine.

Side-channel attacks exploit the correlation between the higher level functionality of the software and the underlying hardware phenomena. There are various types of side-channel attacks, which are classified according to the hardware medium they target and exploit, for instance, cache side-channel attacks. CPU caches are one of the most common hardware devices targeted by adversaries because they have high-rate interactions and sharing between processes. Furthermore, full encryption keys of well-known algorithms (i.e. RSA and AES) have been broken using spying processes to spy and collect information about cache lines, which have been accessed [2,3]. This information is analysed and linked to the current virtual machine, which occupies the processor.

There are number of proposed solutions to prevent and detect cache side-channel attacks in cloud computing [17,18,19,20,21]. Firstly, the prevention solutions can be either hardware or software based. Although hardware-based techniques seem to be more secure to implement as they are more efficient and thwart the root cause of those attacks, they cannot be practically applied until CPU makers implement them into CPUs. Furthermore, software-based mitigation techniques are attack-specific solutions, which can only tackle attacks that they are proposed for. Consequently, these solutions might not have the ability to mitigate new side-channel attacks.

Secondly, most of the detection tools fail due to the deceived normal behaviour of cache side-channel. On the other hand, detecting solutions mainly rely on software and applications to detect any abnormal behaviour on the CPU cache. These applications and software have to will

(16)

5

slow down the CPU and caches’ operations and introduce unwanted overload, which will affect the CPU performance.

1.6Motivations for the Project

The motivation for this project came from the author’s quest to understand the cloud computing security challenges and threats; and analyse the level of security access provided to either cloud service providers or their tenants in order to secure access to the data. This included investigation of security requirements for different critical infrastructure service providers. Among many security requirements, a cloud based access control model has been found one of the crucial security requirements. The author conducted a detailed requirement analysis for proposing a cloud based access control model that can fulfil the security requirements of cloud computing services. Data in a cloud computing environment will be shared among different entities. These entities have various degrees of sensitivity. Current access control models suffer from semantic and heterogeneity problems, which affect used policies and methods used to translate the policies. A cloud based access control model has to insure access to data in all computation levels from users’ levels to lower levels; and deal with data leakage at lower level such as CPU caches. However, the used access control models either the conventional access control models or the proposed for cloud computing cannot control access to data at the lower level resources such as RAM and CPU caches. Therefore, this motivates the author to investigate the effects of cache side-channel attacks on cloud computing and available proposed solutions to mitigate them.

In addition, the author’s knowledge about securing access to cloud computing is intended to be enhanced throughout this multifaceted project. With very little experience in extensive research, and also the techniques employed in solving the issues, it is believed that this project will pose some significant challenges. However, the author believes that the outcome will be worthwhile as it would contribute to global knowledge and also demonstrate how cloud computing can be utilised securely to offer secure access to its services for tenants such as critical infrastructure providers.

1.7Aims and Objectives of the Project

This project aims to propose an access control model for cloud computing to meet the security requirements of cloud service providers and their customers such as critical infrastructure providers. It will also enhance the level of security of accessing data in lower levels such as

(17)

6

CPU caches by providing detecting and prevention solutions to any leakage of information by cache side-channel attacks.

The key objective is to produce a cloud based access control model, through exploratory research that results in achieving these aims. The purpose of this research is:

1. To identify cloud computing security challenges, concerns and threats for cloud service providers and their customers.

2. To perform critical infrastructure providers’ security requirements analysis for different critical infrastructure providers.

3. To identify gaps in conventional access models (RBAC, MAC, etc.).

4. To perform a requirement analysis for cloud based access control systems and provide new evaluation criteria for cloud based access control systems.

5. To provide a simplified output model where data can be secured from unauthorized access at all levels from application levels to processing levels.

6. To identify threats of side-channel attacks that can be used to bypass isolation levels enforced by access control policies.

7. To provide an efficient detection solution to identify cache side-channel attacks in cloud computing without affecting the performance or asking for any modifications to customers’ operating systems.

8. To facilitate cloud computing service providers with a prevention solution that prevents cache side-channel attacks without affecting the CPU caches’ performance.

9. To implement the proposed solutions in an identical environment to cloud computing with various number of virtual machines.

10.To compare the obtained results from the proposed solutions with various results from other prevention and detection cache side-channel attacks solutions that are implemented in the same environment.

11.To publish the results of this project in well-regarded peer reviewed international journals and conferences.

(18)

7

1.8Contributions

In this project, we have fulfilled all the stated objects in section 1.7. We started looking at cloud computing security challenges for cloud service providers and their customers such as critical infrastructure providers. Security requirements for different critical infrastructure providers were analysed and the conducted analysis led to the chosen of cloud based access control security challenges. We done a security requirement analysis for cloud based access control systems, identified challenges for deploying conventional access models (RBAC, MAC, etc.) in cloud computing and presented new evaluation criteria for cloud based access control systems. The requirement analysis for cloud based access control systems facilitated proposing a new cloud based access control model that can fulfil the surveyed security requirements of cloud computing customers. As the proposed cloud access control model has a number of components, we focused on identifying threats to isolation levels enforced by the cloud based access control model in lower levels (CPU caches). Specifically, we looked at cache side-channel attacks. We proposed two new solutions to prevent and detect cache side-side-channel attacks in cloud computing. Both of the proposed solutions were fully implemented on a server identical to cloud computing servers. Due to the size of the RAM (16 GB), we could not run more than 30 virtual machines on the server at the same time. Furthermore, results obtained from our solutions to prevent and detect cache side-channel attacks are by far better than results gained from other prevention and detection proposed solutions implemented in the same server.

The contributions of this thesis can be respectively categorized in the following:

1. Critical infrastructure providers’ security requirements

This project presents a list of security requirements for different critical infrastructure providers to be moved to cloud computing. This list covers more than four sectors of critical infrastructure areas, which can also be applied to the other areas. The details can be found in section 3.1 in the chapter three: related work.

2. Requirements analysis for cloud based access control systems

In order to propose a cloud based access control model, we have carried out an in-depth investigation to identify every possible security requirements needed for cloud based access control model. It is demonstrated in section 3.2.

(19)

8

3. A novel guidelines criterion for cloud based access control models

This project illustrates novel guidelines criteria, which is shown in section 3.3. It can be used either to propose or evaluate access control models for cloud computing.

4. The cloud access control model contributions

Chapter 4 presents a novel access control model for cloud computing that facilitates the role and task principles to restrict access to cloud computing resources. Major contributions in the cloud access control model are as follows:

 It ensures a secure cloud that has sharing of physical resources among potential untrusted tenants.

 It has three different security levels, which can be used according to level of trust.

 It supports various sensitive levels of information in order to restrict who can read and modify information in the cloud.

 It copes with different access permission to the same cloud user and giving him/her the ability to use multiple services with regard to time of authentication and login.

5. A new Prime and Probe attack

It is a new way to launch cache side-channel attack without utilising the link between memory pages and CPU cache sets. It uses a virtual machine’s virtual addresses and translates them to physical. These addresses will be checked either accessed by another virtual machine or not in order to get the virtual machine’s data. The details can be found in section 5.1.

6. A novel lightweight solution to prevent cache side-channel attacks in cloud computing

Section 5.2 in chapter 5 illustrates a novel solution to deal with leakage of data from all levels of the CPU caches by preventing cache side-channel attacks. The major contributions in the novel lightweight solution are as follows:

(20)

9

 The solution erases all data related to a Virtual Machine (VM) from all CPU cache levels directly after its Virtual CPU (VCPU) releases the control of the CPU resources and does not erase or modify any data that does not belong to the targeted VM.

 The first solution to deal with a VCPU and target all its overlapping situations.  It is generic and can be used with any operating system (the Xen hypervisor is compatible with many operating systems such as Windows, Linux (Ubuntu, SUSE, etc.), etc.).

 The solution induces neglected performance overhead.

 All the tenants’ operating systems are completely free from any modifications or changing in their applications or libraries.

 It uses Clflush to erase virtual addresses from cache by utilising the Linux Ubuntu operating system.

 The solution can deal with all overlapping access and core migration in the following cases:

 Number of VMs or domains overlapping access to one VCPU.

 Number of VMs or domains overlapping access to number of VCPUs.  Number of VCPUs overlapping access to a CPU core.

 A VCPU migrates from a CPU core to another.

7. A novel infrastructure detection solution to detect cache side-channel attacks in cloud computing

One of our main contributions is a novel solution that can detect cache side-channel attacks in cloud computing without needing for any other software to detect cache misses caused by a virtual machine. It is demonstrated in section 5.3. Furthermore, major contributions in the novel infrastructure detection solution are as follows:

(21)

10

 The solution measures cache misses caused and when they happen by a VM in its execution time without using any attached software or application.

 It measures the time taken by CPU Fetch cycle to detect CPU cache misses.  The solution has a small performance overhead.

 The hypervisor used in the cloud infrastructure does not require any major modifications.

 All the tenants’ operating systems are completely free from any modifications or changing in their applications or libraries.

1.9Outline of the Chapters

The report is divided into 8 chapters, each covering a specific area of the project work. The following outline sections provide an overview for each of the chapters to guide the reader through the report.

Chapter 1 Introduction: This chapter details the overall aims of the project and what it hopes to achieve. It briefly discusses the background of the project and justification as to why the project was conducted. The final part of this introductory section provides a general overview of each of the chapters in the report.

Chapter 2 Background: This chapter looks in-depth at cloud computing in terms of its features, services and security challenges. Here, the author highlights basic information about access control systems. It also illustrates the conventional access control models and reasons for not being deployed as they are in the cloud. The chapter also provides basic information about access control attacks and a concise review of cache side-channel attacks and previous research work in this domain, and how far they went in solving identified issues.

Chapter 3 Related Works: Here, the author sets out the definition of critical infrastructure and how it is crucial to societies. A novel analysis of security requirements of various critical infrastructure providers is demonstrated in this chapter. Furthermore, this chapter highlights the importance of an access control system to cloud service providers and their tenants. A new cloud based access control criteria are presented in this chapter.

(22)

11

Chapter 4 Access Control Model For Cloud Computing: This chapter presents the proposed solution model and its design methodology. The author also describes the implementation strategies, a security evaluation, a case study, analysis and discussion of characteristics of the proposed solution.

Chapter 5 The Prevention and Detection Solutions to Cache Side-Channel Attacks in Cloud Computing: This chapter presents a new Prime and Probe attack. In this type, attackers do not have to have any information about number of cache lines or memory pages. Furthermore, novel solutions to prevent and detect cache side-channel attacks are illustrated in this chapter. They are a novel lightweight solution to prevent cache side-channel attacks in cloud computing and a novel infrastructure solution to detect cache side-channel attacks in cloud computing. This chapter details the intended goals to be achieved for both solutions and the design of them.

Chapter 6 The Implementation of the Proposed Prevention and Detection Solutions to Cache Side-Channel Attacks: This chapter illustrates full details about the testbed, which is used to implement cache side-channel attacks prevention and detection solutions. It justifies the reasons behind using the Xen hypervisor and gives full explanation about how both solutions are implemented in the Xen hypervisor source code.

Chapter 7 Results and Evaluation of the Prevention and Detection Solutions to Cache Side-Channel Attacks: This chapter sets out the evaluation results, which were gained from a number of conducted experiments. The results were compared with other results from a number of proposed solutions implemented in the same conditions used to test our solutions.

Chapter 8 Conclusion and Future Works: This chapter summarises the entire project and reviews the findings. It also outlines future work that can be done to improve the project.

CHAPTER 2

Background

This chapter provides an overview of the necessary background on cloud computing services and security challenges. It also presents detailed information about access control’s definition and models; and why they cannot be deployed in their current state in the cloud. Furthermore, it illustrates a number of security attacks that target access control systems. It provides a concise

(23)

12

review of side-channel attacks, specifically cache side-channel attacks. Previous research work in cache side-channel attacks and their specific threat to cloud computing are also illustrated here.

2.1Cloud Computing

In recent years, we have seen a dramatic growth in IT investments, and a new term has come to the surface which is, cloud computing. The National Institute of Standards and Technology defines the cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction” [1]. Cloud computing is an open standard model, which is Internet-centric and provides various services either software or hardware. It needs minimal management effort from service providers. A significant interest in both industry and academia has been generated to explore and enhance cloud computing.

Cloud computing can enable ubiquitous computing and offer on-demand network access to a shared pool of configurable computing resources. It provides all of its resources as services such as storage, computation and communication. Cloud computing is a unique combination of capabilities and innovation technologies. It needs minimal management effort from service providers and delivers scalable and dynamic infrastructure, global/remote access and usage control and pricing. Furthermore, it changes delivery platform, services consumption and the way users and businesses interact with IT resources. It consolidates the economic utility model with the evolutionary enhancement of many utilised computing approaches and technologies, which include computing infrastructure consisting of networks of computing and storage resources and applications.

Cloud computing has a number of unique features, for example, virtualization and multi-tenant. It has five essential characteristics: on-demand self-service, measured service, rapid elasticity, broad network access and resource pooling. It is aiming at giving capabilities to use powerful computing systems while reducing the cost and increasing efficiency and performance [1]. In addition, it offers users scalable services on-demand, which will be used in cloud computing to provide services to a wide variety of consumers [22]. As illustrated in figure 1, these service models are:

(24)

13

Figure 1: The cloud computing service models

1. Software as a Service (SaaS)

It is on-demand applications and software service, which hosts applications and their data in the cloud. Software and applications are available to be accessed anywhere at any time by using ordinary web browsers over the Internet.

2. Platform as a Service (PaaS)

PaaS will facilitate cloud computing customers with the ability to build, enhance and deploy their application without the complexity of configuration, cost of managing and buying the underlying either software or hardware.

3. Infrastructure as a Service (IaaS)

It offers cloud computing consumers computing infrastructure components such as storage, processing and any other computing resources. It supplies virtualized infrastructures, which are bought or rented as a fully outsourced service.

In cloud computing, there are four architectures have been considered for being ways to address cloud computing customers’ demands [23], they are described as follows:

1. Public cloud

Cloud computing resources are provided by a service provider whom makes them accessible and available to industry groups and general public.

(25)

14 2. Community cloud

It is another kind of cloud, which is shared by various organizations and offers shared infrastructure for a specific community.

3. Private cloud

It is supplied and managed by a cloud service provider for a single organization.

4. Mixed cloud

It is a combination between two or more clouds such as public, private or community clouds. However, these mixed clouds will remain unique entities.

Cloud computing gives a new hope for meeting various requirements of service providers and consumers as well, when they look at what the cloud can offer to them. A report from The Economist Intelligence Unit and IBM finds that among 572 business leaders surveyed, almost three-fourths indicate their companies have piloted, adopted or substantially implemented cloud in their organizations and 90% expect to have done so in three years. Moreover, a number of respondents whose companies have “substantially implemented” cloud is expected to grow from 13% today to 41% in three years [24]. A new report published April 2014 by the Right Scale, finds that among 1000 IT executives surveyed, almost 94% indicate their companies are running Software as a Service (SaaS) or experimenting infrastructure as a Service (IaaS). Furthermore, 87% of surveyed organizations are utilising public cloud services [25].

The unique benefits of cloud computing have provided the basis for many critical infrastructure providers to migrate to the cloud computing paradigm, for example, IBM and Cable & Wireless (C&W) have announced plans to collaborate in the development of a cloud-based smart metering system[26]. This system aims at deploying about 50 million smart meters in the UK by 2020. BT has deployed a new cloud-based supply chain solution to increase the operational efficiency, improve customer service and optimize reverse logistics [27]. In April 2013, the National Grid, the UK’s gas and electricity network, has announced plans to replace its own internal datacentres with a CSC-hosted cloud [28]. However, with all of these promising facilities and benefits, there are still a number of technical barriers that may prevent cloud computing from becoming a truly ubiquitous service. Especially where the cloud computing tenants have strict or complex requirements over the security of infrastructures [23].

(26)

15

2.1.1 Cloud Computing Security Concerns

The latest cyber-attacks on high profile firms (Amazon, Google and Sony’s PlayStation) and the predictions of more cyber-attacks on cloud infrastructure are threatening to slow the take-off of cloud computing. The numbers of cyber-attacks are now extremely large and their sophistication so great, that many organizations are having trouble determining which new threats and vulnerabilities pose the greatest risk and how resources should be allocated to ensure that the most probable and damaging attacks are dealt with first. These security concerns and attacks could slow the growth of the cloud computing market, which is expected to reach $3.2 billion in 2013 in Asia alone, while the global market could reach $55 billion in 2014 [22].

Security is the greatest inhibitor for adoption and the primary concern in cloud computing. Cloud computing inherits some security risks and vulnerability from the Internet, such as malicious code (Viruses, Trojan Horses). In addition, cloud computing suffers from conventional distributed systems security attacks, which could have a huge impact on its services such as back door, Man-in-the Middle attack, and etc. Moreover, cloud computing has brought new concerns such as moving resources and storing data in the cloud with the probability of residing in another country, which has different regulations. A cloud service provider has to ensure its computing resources are fully usable and available at all times [29]. Computing resources could be inaccessible due to many reasons such as natural disaster or denial of service. Protecting data privacy is another aspect in cloud computing security. Cloud computing is a shared environment, which uses sharing infrastructure. Hence, data may face a risk of disclosure or unauthorized access.

Cloud computing services are delivered by a large number of service providers. They use various types of technologies, which cause heterogeneity issues [5]. Extensibility and Shared Responsibilities is another concern as up to now it is not clear, how security duties should be assigned in cloud computing and who is responsible for what [6]. Furthermore, virtualization is one of many ways used in cloud computing to meet their consumer requirements, but it brings its own threats such as data isolation problems and communication between virtual machines [7]. Cloud computing makes cyber-attacks more likely; many of these attacks are among the most potential and commonly encountered in the wider Internet such as Distributed Denial-Of-Service (DOS) attack [8], insecure application programming interface, abuse and nefarious use of cloud computing, malicious insiders [9], etc.

(27)

16

Information in cloud computing is more likely to be shared among different entities, which could have various degrees of sensitivity. Therefore, it would require strong isolation and controlling access mechanisms. In order to draw the whole picture, we have done an in-depth investigation to find and analyse the cloud security challenges and security requirements for different users, e.g. critical infrastructure service providers.

Cloud computing is a shared open environment, which has its own characteristics and features such as on-demand services and mobility. Thus, cloud service providers need a strengthened access control system for controlling access to their resources with the ability to monitor who deals with them. They should have the ability to deal with dynamic and random behaviours of cloud consumers, and heterogeneity and diversity of service.

An access control system is a collection of components and methods that are concerned with giving right activities to legitimate users based upon preconfigured access permissions and privileges outlined in the access security policy [30]. Access control models in cloud computing can be very complex and sophisticated due to dynamic cloud computing resources [11]. Entities in cloud based access control models are likely to reside in various trusted domains and may be located in another country that has different regulations. Thus, they may not trust each other [31]. Furthermore, existing access control models suffer from the lack of flexibility in attribute management. Heterogeneity and diversity of service are another concern in designing an access control model for cloud commuting [12]. Diversity of access control policies and various access control interfaces can cause improper interoperability [32].

2.2Access Control

Enterprises and organizations need to make sure the intended users can access information with the exact level of access, no less and no more. Dealing with such secure access requirements are not an easy task with the growing demand on IT-Infrastructure. Thus, IT experts, researchers and institutions have searched for access control systems that can fulfil their security requirements. An access control system is a collection of components and methods that determine the correct admission to activities by legitimate users based upon preconfigured access permissions and privileges outlined in the access security policy [30]. The fundamental goal of any access control system is restricting a user to exactly what s/he should be able to do and protect information from unauthorized access. Generally, a vulnerable access control system can lead to revealing of customers’ data and give the attackers the ability to infiltrate

(28)

17

organizations and their assets with the ability to bring the system down. Moreover, there is a wide variety of methods, models, technologies and administrative capabilities used to propose and design access control systems. Thus, each access control system has its own attributes, methods and functions, which derive from either a policy or a set of policies. According to NIST( National Institute of Standards and Technology) any access control system should have all of following terms or a number of them [33]:

1. Subject

It is any active entity, which requests access to an object or data within an object such as a user, a process.

2. Object

It is a passive entity which has or receives data.

3. Action

It is an active process that is used by a subject to perform an action on an object such as read, write and execute.

4. Capability

It determines a subject’s available actions and is associated with it.

5. Privileges

They are used to reduce granted space of access to authorized users to a specific number of users.

In the access control system planning, there are three primary abstractions: access control policies, models and mechanisms [33]. Access control policies are high-level requirements, which are used to determine who can access data and under what circumstances. A mechanism is employed to translate these policies. In case any gap is found between a mechanism and a policy, a model has to solve it. Furthermore, there are three crucial components in any access control system, which are Identification, Authentication and Authorization [34]. When a subject supplies information to identify him/herself to an authentication service it is called identification, for example username or account number. Authentication is verifying the

(29)

18

identity of a subject to recognize a legitimate user. The authentication mechanism can be based upon what the user has (smart card), what the user is (biometrics) or what the user knows (PIN or password). Authorization is the process of granting or denying an identified user a permission to access and perform certain operations on the system resources.

2.2.1 Why Conventional Access Cannot Be Utilised in Cloud Computing?

Cloud computing is a shared open environment, which has its own characteristics and features such as on-demand services and mobility. Thus, cloud service providers need a strengthened access control system for controlling admission to their resources with the ability to monitor precisely who accesses them. They should have the ability to deal with dynamic and random behaviours of cloud consumers, heterogeneity and diversity of services. In this subsection, a background about conventional access control models and why they cannot be deployed in the cloud are presented. It also illustrates fundamental requirements for cloud based access control models and existing proposed solutions.

Due to differences in requirements for military and commercial security policies, two distinctive kinds of policies had to be developed, these produced two different access control models which are Discretionary Access Control (DAC) and Mandatory Access Control (MAC) [35]. These models have a number of flaws, which led to the proposal of other models such as Role-Based Access Control (RBAC). However, we believe these models cannot work in cloud computing as each one of them was proposed for a specific environment to fulfil consumers’ security requirements.

(30)

19

2.2.1.1 Mandatory Access Control (MAC) Model

In the Mandatory Access Control (MAC) model, a central authority is in command of giving access decisions to a subject that request access to objects or information in objects. In order to secure access to objects and the information that flows between objects, MAC assigns an access class to each subject and object. An access class is a security level that is used to secure the flow of information between objects and subjects with dominance relationship. Object classifications are security labels that are used to classify objects based upon the sensitivity of information they have. Subject clearances are security levels used to reflect the trustworthiness or rules of subjects. The early formula and most well-known relationships were proposed by [36]. This model is also known as multilevel security and uses only two properties no-read-up and no-write-down as shown in figure 2. The Bell LaPadula model has concentrated on securing and controlling data flow, but protecting the confidentiality in a system is not the only goal in securing information. Hence, [37] used the same principles utilised by Bell LaPadula model to propose a model for protecting the integrity of objects.

Although the mandatory access control model provides protection against information flow and indirect information leakages, it does not guarantee complete secrecy of the information either in the Bell LaPadula model or the Biba model. For example, any unclassified subject can write into top secret objects, and could cause improper modifications to objects and violate their integrity. In fact, this model is very expensive and difficult to deploy and does not support separation of duties, least privilege, and delegation or inheritance principles. Dynamic activation of access rights for certain tasks is not supported. Moreover, it does not support time and location constraints. It needs a precise management system for dealing with system components that reside either inside or outside the model. For instance, processes and libraries are considered as trusted components, but sometimes they need to break MAC principles. Thus, they might need to reside outside of the MAC model. Furthermore, over classifying subjects or objects can happen. The BLP still does not deal with the creation or destruction of subjects or objects [30]. Security’s labels are not flexible and are not convenient for task execution. MAC needs a central authority to determine what information should be made accessible and by whom. For example, a manager might want to access information about a staff member, but s/he should not be able to have full access to the member’s file, as s/he could access and reveal sensitive information such as bank account details. As cloud computing is going to use current web applications to deliver their services, MAC has to deal with a lack of sophisticated

(31)

20

semantics models, which represent and communicate privileges and constraints that are provided via access control policies.

2.2.1.2 Discretionary Access Control (DAC) Model

The Discretionary Access Control (DAC) model, grants the owners of objects the ability to restrict access to their objects, or information in the objects based upon users’ identities or a membership in certain groups. The DAC model is generally less secure than the mandatory access control model, so it is used in environments that do not require a high level of protection. However, DAC is the most used model in commercial operating systems such as UNIX and Windows-based platforms [34] because it is more flexible and easier to be utilised than other models. There are two ways to implement a discretionary access control model, this can be achieved via identity based access control or by means of an access control matrix Access Control List (ACL) or capabilities [38].

The DAC depends on allowing owners of objects to control access permissions to objects, yet it has many side-effects when it is utilised in cloud computing. For instance, there is no mechanism or method to facilitate the management of improper rights (e.g. risk awareness), which owners of objects can give to users. Occasionally users are required to use privileges that reveal information about objects to third parties. For instance, a user can only read a file in a company, and then s/he can copy the file contents to another file in order to pass it to another user. The DAC does not have the ability to control information flow or deal with Trojan horses that can inherit access permissions [39]. In addition, a user may pass their rights to another user, and that can violate the integrity and confidentiality of objects. Finally, it is not scalable enough for cloud computing.

2.2.1.3 Role Based Access Control (RBAC) Model

Role-based access control (RBAC) is considered as a natural way to control access to resources in organizations and enterprises [35]. The motivation behind RBAC comes from considering “a subject’s responsibility is more important than who the subject is” [40]. In the RBAC model (see figure 3), a subject can have more than one role or be a member of multiple groups. For example, an employee within an organization can be a member in secretaries group and employees group.

(32)

21

Figure 3: Role-based access control model

Task-Role Based Access Control (T-RBAC) model is another access control approach that has been proposed, which is based upon the RBAC model [41]. However, it assigns permissions to tasks instead of roles. Users in this model are assigned roles, which are assigned tasks that have permissions. It uses the workflow authorization model for synchronizing workflow with authorization flow. The scheme has used tasks to support active access control and roles to support passive access control.

The RBAC model has many advantages compared to, DAC and MAC models, yet it has its own difficulties and problems when it is deployed in the real-world [42]. Firstly, picking the right roles that represent a system is not an easy task and dividing subjects into categories based upon roles might make things worse. Roles in the RBAC model classify subjects in a number of categories; thus each subject has to have a role in order to access the system. Despite that, roles can give a subject more rights than s/he necessarily needs to have, with a possibility of having another role which could lead to the violation of the access security policy. It fails to cope with the following issues:

1. It does not provide any kind of sensitivity to the information. For example some information is more sensitive than others such as the medical history in a patient file.

2. Relationships define according to identities not just roles such as the doctor-patient relationship. For example, a paediatric doctor should not be allowed to access a patient file in the psychology department.

(33)

22

3. It does not support the delegation principle, which is needed in organizations for dealing with absences of their staff. Furthermore, it does not consider the time and location constraints, which are utilised for restricting access to system files and decreasing the probability of information leakage. It also fails to cope with dynamic and random behaviours of users.

4. It does not support active responsibilities of staff as it does not separate tasks form roles. Moreover, dynamic activation of access rights for certain tasks is not supported.

5. The RBAC has to deal with a lack of sophisticated semantic models to represent and communicate privileges. For instance, a doctor in a remote area might not be able to access the system via cloud computing due to lack of syntactic and semantic support. It also has to cope with a semantic gap between the user authentication mechanisms and the authorization mechanisms.

6. In cloud computing, there is a huge demand for testing and verifying access control functions, which are considered as static tests. There are also other dynamic compliance functions that can be used as support functions; for example reporting alerting privileges or conflict of rules and monitoring the system current states [33]. For instance, a doctor who has full access to patients’ files in his/her department should not be allowed to move, copy them to another place or even access them from home.

7. Before utilising the RBAC in cloud computing, it has to ensure granting access decisions in a reasonable time and according to system requirements. For example, the response time is crucial in many applications such as a health care system. A consultant away from a hospital needs to access the system in a timely manner, disregarding a number of access requests to the RBAC and distance.

8. Any critical infrastructure service provider who aims to migrate to the cloud, with thousands of users, hundreds of roles, and millions of permissions face a tremendous task that cannot realistically be centralized by a small team of security administrators [43].

9. In a health care system, there is always a sequence of operations which will need to be controlled. For example, in order for a doctor to give a patient the right treatments, s/he needs to examine the patient’s physical conditions, look at the patient’s medical history

(34)

23

and asks for tests or scans. S/he might ask for help from another doctor or transfer some information to another hospital. Each one of the previous operations needs a different set of permissions. Thus, the RBAC may not be able to ensure access for a sequence of operations in cloud computing.

2.2.1.4 Attribute Based Access Control (ABAC) Model

The Attribute Based Access Control (ABAC) model relies on a set of attributes associated with a requester or a resource to be accessed in order to make access decisions [44]. There are many ways to define or use attributes in this model. An attribute can be a user’s work start date, a location of a user, a role of a user or all of them. Attributes may or may not be related to each other [45]. After defining attributes that are used in the system, each attribute is considered as a discrete value, and values of all attributes are compared against set of values by a policy decision point to grant or deny access. These kinds of models are also known as either Policy- Based Access Control (PBAC) or Claims Based Access Control (CBAC). Moreover, a subject does not have to be known in advance to the system, it just needs to authenticate itself to the system then provide its attributes. However, reaching an agreement about what kind of attributes should be used, and how many attributes are taken into account for making access decisions is a complex task in cloud computing [46]. This model has not at present been implemented for well-known operating systems [45]. Finally, proposing a security policy that can work accurately with this kind of access control model is vital, because the security policy is responsible for selecting the important attributes that are utilised to make access decisions.

2.2.1.5 Risk-Based Access Control (RBAC) Model

Risk-Based Access Control was proposed to cope with multinational organizations that face various kinds of policies and regulations [47]. This model tries to use different kinds of risk levels with environmental conditions and utilise the principle of “operational need” in order to make access decisions [42]. In Quantified Risk Adaptive Access Control (QRAAC) [48], risk is calculated as risk =V*P, where V is the information value that reflects the sensitivity level of the resource and P is the probability of unauthorized disclosure, which reflects the trustworthiness of the user. The security policy in this model is dynamic; it is changed according to a variety of risk levels stated on the security policy. However, this model is difficult to be deployed in cloud computing because of the amount of analysis required and number of systems to be merged to compute risk levels. It needs expertise that can deal with

(35)

24

the model. Finally, security policies and environmental conditions need to be standardized as they play a crucial role in making access decisions [42].

2.2.1.6 Existing Proposed Solutions

There are a number of access control models were proposed for cloud computing, yet each one of them was targeted a specific vulnerability in cloud computing without addressing the security requirements of cloud computing services. Furthermore, none of them was implemented in a real scenario or environment and tested against any type of access control attacks. They had not considered the components and processes engaged in any attempts to access data or resources in cloud computing. For example, virtual machines that may be used to access data and any processes or programs used to read or transfer data. Moreover, there is always a sequence of operations that need to be controlled in order to access cloud services. Thus, a cloud based access control model needs to be tested in such cases with different scenarios to make sure right permissions are given for every task or action engaged in these operations.

Most of the proposed models were tried to deploy the conventional access control models directly to cloud computing. However, no improvements had been made to these models before they attended to be deployed in cloud computing. Cloud computing service providers and consumer have their concerns and security requirements from cloud based access control models. None of the conventional access control models can be utilised in their current state in the cloud as stated in the second paragraph. The well-known access control models are suffering from semantic problems which affect the interoperability between various cloud service providers. Cloud computing and cloud based access control models have heterogeneity problems, yet there is no sign how these problems can be solved in the proposed models. The following number of proposed access control models for cloud computing utilised the traditional access control models:

1. Wang et al. proposed an adaptive access control algorithm for cloud computing environments based upon the contextual information such as security information and time [13]. In this scheme, authors combined the trust relationship (either between a number of cloud service providers, or a cloud service provider and its consumers), with the role based access control system. The trust level is updated and changed automatically by the trust management system according to evolution done by clouds

(36)

25

after each transaction. In this scheme, authors assume every cloud has a global certificate Authority Authorization Centre (AAC), which is responsible for access control. Combining the access control system with a trust level calculated and modified based upon a user’s behaviours, is a good approach. However, scores related to a trust level that is calculated by either users or resources can cause misbehaving problems. Furthermore, the type of mechanism used and how the access can be granted is not evident. The AAC has the potential to be a single-point of attack. In the model, it is not clear where the RBAC model is located and how access to resources is granted (roles, trust scores or both).

2. Tianyi et al. proposed the cloud optimized RBAC model (coRBAC) [32]. It inherits many features from RBAC and distributed RBAC (dRBAC) such as dRBAC’s domain. It merges the dRBAC’s distributed authentication services together and gives the CA ability to issue certificates. It also allocates domains for enterprises and companies with the capability to manage their roles and users in their own inner network. The coRBAC implements an internal RBAC in each organization, and there is only one manager role called D.manager in each internal RBAC. This approach depends on Certificate Authority (CA) for issuing users’ certificates, which might cause efficiency and scalability problems as a new certificate must be issued each time access is required. A third party infrastructure for storing some information such as domain information has been utilised, yet it is not clear how it enhances the level of security, and it might bring other concerns such as trust issues. The network performance can be affected by using the CA as it can be a single point of attack and bottleneck in some situations. Moreover, they have not proposed any mechanism for dealing with heterogeneity caused by bringing various security domains together in the model. In the issued certificate, no information about the security domain is provided.

3. Sun et al. proposed a semantic access control scheme for cloud computing to authenticate users of healthcare systems based upon ontologies [49]. This scheme implements an access control system in semantic web environments and uses ontologies for the RBAC security model. The authors extended the RBAC model by using semantic web technologies. This scheme has not sorted out the dynamic activation problems in the RBAC or diversity of data sensitivity. For a health care system that aims to migrate to the cloud, with thousands of users, hundreds of roles,

(37)

26

and millions of permissions, it is a tremendous task that cannot realistically be centralized by a small team of security administrators. Moreover, in the health care system, there is always a sequence of operations that need to be controlled. Thus, the model needs to investigate how the right permissions can be given for every task or action engaged to complete the preformed operations.

4. Task-Role-Based Access Control scheme is another access control approach which has been proposed for healthcare systems in the cloud computing environment [50]. Permissions in Task-Based Authorization Control (TBAC) are activated or deactivated according to the current task or process state. As there is no separation between roles and tasks, they use different factors such as users, information resources, roles, tasks, workflow, and business rules, to solve the separation problem and determine the access control mechanism. This scheme was implemented in the Amazon Elastic Compute Cloud (Amazon EC2), yet there is no clear sign about how semantic problems can be handled, how information is meaningfully shared among different hospitals, and how the separation problem between roles and tasks is solved. Furthermore, health care systems usually suffer from heterogeneity problems and T-RBAC as well, yet here there is no sign how these problems can be solved. It does not provide any sensitivity levels to information, as it must be considered that some information is more sensitive than others such as medical history.

5. A reference ontology framework using Role-Based Access Control model was proposed by [51]. It aims at providing an appropriate policy with an exact role for every tenant. In addition, different policies are used to grant permissions such as access policy and security policy. Policies might be used as components of a role according to the role’s characteristics, such as priority and business values. However, this approach needs good ontology transformation operations algorithms to compare the similarity of different ontology. A new back-end database schema to support O-RBAC is needed for this scheme. Furthermore, it has to be evaluated by testing the role/user ratio according to the position hierarchy. It does not give sensitivity levels to the information as some information is more sensitive than others, and does not support the delegation principle and dynamic activation of access rights for certain tasks. This model has to ensure granting access decisions in a reasonable time and according to system requirements.

(38)

Securing Access to Cloud Computing for Critical Infrastructure